db-convertor @1.0.5
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 10:29 PM UTC
OSV ID
MAL-2026-6726
Ecosystem
npm
Summary
index.js defines a method queryDBConnect on the exported DivbloxDatabaseConnector class that base64-decodes a hardcoded constant HASH_KEY to the URL https://jsonkeeper.com/b/SH5ZW, fetches the session field from that JSON paste via axios, and pipes the returned content as stdin into a detached node child process. The fetched bytes are executed without inspection, hashing, signing, or origin checks. jsonkeeper.com is an anonymous mutable paste host — the operator can swap the payload at any time, so any caller who reaches this method runs arbitrary attacker-controlled code in the installer's Node process. The endpoint is obscured behind a base64 literal and atob() to evade casual review and string scanners, and the method is undocumented in the README and unrelated to the package's stated database-connection purpose. The package name ( db-convertor ) and keywords ( divblox , dx-db-connector ) impersonate the legitimate Divblox dx-db-connector package, increasing the likelihood that an installer who mistypes the dependency ends up with this backdoored class.
Source: amazon-inspector (7480b95a12688a84f3efd3d4c5c8a82c5c761f1f462eb22201f4385fb9bf691c)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.